LDAP logins not working

mcnigelmcgruff
Posts: 2
Joined: Sat Nov 03, 2012 5:01 pm

LDAP logins not working

Post by mcnigelmcgruff »

Hello,
I have been at this for some time and absolutely cannot figure out what isn't working.
Working with Microsoft Windows 2012 AD in a test environment. Defaults for everything.
Web server is Windows 2008 R2 with IIS 7.5 and PHP 5.3.18 with the LDAP module installed.
I have gone to /config/constants_ldap.php, but did not need to change any settings.
I have set the following in ldap.php:
$PMF_LDAP['ldap_server'] = 'ad.example.com';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'phpmyfaq'; // have also tried full DN
$PMF_LDAP['ldap_password'] = 'phpmyfaq'; // yes, I know this isn't secure, but it's a test environment
$PMF_LDAP['ldap_base'] = "cn=Users,dc=example,dc=com";

and went to administration -> configuration -> security configuration -> enable LDAP support
and checked the box

I created a variety of test accounts in the Users container, but for all of them (and any other users on AD), it tells me it is a wrong username or password.
I tried another clean install with the same values, except to enable LDAP at install time; no change.
Checked AD logs, but found no errors.
I have another piece of PHP software on the same web server that can authenticate to AD without issues (Tiki).

Been going over this again and again and can't find anything to suggest what is wrong. Can anyone offer a suggestion?
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP logins not working

Post by Thorsten »

Hi,

please try to enable the DEBUG mode in inc/Init.php and try it again.

Which phpMyFAQ version do you use?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
mcnigelmcgruff
Posts: 2
Joined: Sat Nov 03, 2012 5:01 pm

Re: LDAP logins not working

Post by mcnigelmcgruff »

Thank you very much for the help. The debug mode is incredibly useful.
Found that the problem was not with the software, but with Active Directory.
The debug mode told me that it was having LDAP bind issues, which, for some reason, did not show up in the AD audit log.
The real problem was that Microsoft still can't stick to standards for LDAP. Once an account is created, the <Full Name> value (LDAP displayName) is used to determine the DN, not the username or sAMAccountName values. Once set, even ADSI Edit can't change the DN. Being a good AD admin, I tried to set a descriptive name in the Full Name field, and then bind to the username for the DN. Once changed to the DN value in ADSI Edit, everything works without issue. In addition, it required the full DN; with any partial DN or just the username, it would fail.
Didn't have any issues with the other PHP software because the account that I used for that had been created hastily and the Full Name matched the username.

Now that that has been taken care of, everything appears to be working properly.
Thank you very much for your help, and your very quick response.
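
The DN mismatch described in the post above, and the search-then-bind lookup that avoids guessing the DN from the login name, as an added example that is not part of the original posts and is not phpMyFAQ's code. It is written in Python so it runs without a directory server: the entries are constructed, `search` is a stand-in for a real LDAP search, and all function names are hypothetical.

```python
import re

# Constructed sample entries. As in the post, AD builds the RDN from the
# Full Name (CN), so the DN does not contain the login name.
DIRECTORY = [
    {"dn": "CN=phpMyFAQ Service Account,CN=Users,DC=example,DC=com",
     "sAMAccountName": "phpmyfaq"},
    {"dn": "CN=Doe\\, Jane,CN=Users,DC=example,DC=com",
     "sAMAccountName": "jdoe"},
]
BASE = "CN=Users,DC=example,DC=com"

def escape_filter_value(value):
    """RFC 4515: hex-escape characters that are special inside a filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def escape_dn_value(value):
    """RFC 4514: escape characters that are special inside a DN value."""
    out = re.sub(r'([\\,+"<>;])', r"\\\1", value).replace("\x00", "\\00")
    if value[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def guessed_dn(username):
    """The failing assumption: CN equals the login name."""
    return "CN=%s,%s" % (escape_dn_value(username), BASE)

def search(flt):
    """Stand-in for an LDAP search; handles one escaped equality filter."""
    m = re.fullmatch(r"\(sAMAccountName=((?:[^\\*()]|\\[0-9a-f]{2})*)\)", flt)
    if not m:
        return []
    want = re.sub(r"\\([0-9a-f]{2})",
                  lambda h: chr(int(h.group(1), 16)), m.group(1))
    return [e["dn"] for e in DIRECTORY
            if e["sAMAccountName"].lower() == want.lower()]

def resolve_dn(username):
    """Step 1 of search-then-bind: map the login name to exactly one DN."""
    hits = search("(sAMAccountName=%s)" % escape_filter_value(username))
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    for name in ("phpmyfaq", "jdoe", "*"):
        print(name, "| guessed:", guessed_dn(name), "| actual:", resolve_dn(name))
```

Against a real directory, the DN returned by the lookup is the one to pass to the bind call, and a result of zero or several matches is treated as a failed login.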
Thorsten
Posts: 15560
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: LDAP logins not working

Post by Thorsten »

Hi,

thanks for the hint... I think we should try to improve the ADS support :-)

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer